Ѯh=@s dZddlmZddlmZmZmZddlm Z m Z y$ddl m Z ddl m Z Wn2ek rddlm Z ddlm Z YnXddlmZddlmZdd lZdd lZdd lZejeZdd lZdd lZdd lZdd lZdd lZerjydd l Z Wqvek rfd Z d Z!YqvXn dd l Z dd l"Z"e rdd l#Z#ydd l$Z$Wnek rd Z$YnXdd l%Z%dd l&Z&dd l'm(Z(dd l)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6dd l7m8Z8m9Z9m:Z:m;Z;m<Z<ddl=m>Z>m?Z?ddlm@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPddddddddddddddddd d!d"d#d$d%d&d'd(gZQeRejeFrVejSnejTd)d*ZUd+d,d-d.d/d0d1gZVd2d3gZWdd4l=mXZXd5ZYeGd6ZZeGd7Z[eRej\j]d8pd9Z^Gd:d;d;e_Z`eFr.ejajbZcedecejajegZfd<d=Zgn d>d=Zgd d d?d d d?d@dAZhdBdCZidDdZjejZkyddEllmmZjWnek rYnXdFdGdHZndIdJdZoe d krdIdKdZodLdZpeFrdMdNZqdOdPZrn.ddQlmsZsmtZtdRdNZqdSdPZre@eqdTe@erdUdVdZudWdXZvdYdZZwd[ZxeGd\Zyd d]d^Zzd_d`Z{daZ|e|j}dbZ~dcddZdedZdZeGdgZdhdZdidId djdZdidIdkdZeFr+didIdldZndidIdmdZe@edne8dodpdqdrdbdsdtZeddujZeddvjZedd6dwgZd dxdydzZd{d|Zydd}lmZWn<ek rd Zd?Zd?Zd?Zd Zd~dZYnXdZd\Ze$raePradejkoGdknrae$jZdZnddlmZeZd?ZeGdZeFrdZyeddWnek rd?ZYnYnXddZndZddZe@edddZe%jZeZddZyejddZWnek rQd?ZYnXd ddZervejZnejeZdd"Zdd#ZdZe8dodrdqddddedd$ZdZdd%ZdZdd&Zdd'Zdd(Zd S)z4passlib.utils -- helpers for writing password hashes)JYTHON) b2a_base64 a2b_base64Error) b64encode b64decode)Sequence)Iterable)lookup)update_wrapperNznot present under Jython)warn) BASE64_CHARS AB64_CHARS HASH64_CHARS BCRYPT_CHARS Base64EngineLazyBase64Engineh64h64bigbcrypt64 ab64_encode ab64_decode b64s_encode b64s_decode)deprecated_functiondeprecated_methodmemoized_property classproperty hybrid_method)ExpectedStringErrorExpectedTypeError)add_doc join_bytesjoin_byte_valuesjoin_byte_elemsirangeimapPY3u join_unicodeunicodebyte_elem_value nextgetterunicode_or_strunicode_or_bytes_typesget_method_functionsuppress_causePYPYrsys_bitsunix_crypt_schemesrounds_cost_valuesconsteqsaslprep xor_bytes render_bytes is_same_codec is_ascii_safeto_bytes to_unicode to_native_str has_crypt test_crypt safe_crypttickrng getrandbytes getrandstrgenerate_passwordis_crypt_handleris_crypt_contexthas_rounds_info has_salt_infog?Z sha512_cryptZ sha256_cryptZ sha1_cryptZbcryptZ md5_cryptZ bsdi_cryptZ des_cryptZlinearZlog2)MissingBackendError ZPASSLIB_MAX_PASSWORD_SIZEic@sjeZdZdZddZddZddZdd Zd d Zd d Z ddZ dS) SequenceMixinz helper which lets result object act like a fixed-length sequence. subclass just needs to provide :meth:`_as_tuple()`. cCstddS)Nzimplement in subclass)NotImplementedError)selfrR../../passlib/utils/__init__.py _as_tupleszSequenceMixin._as_tuplecCst|jS)N)reprrT)rQrRrRrS__repr__szSequenceMixin.__repr__cCs|j|S)N)rT)rQidxrRrRrS __getitem__szSequenceMixin.__getitem__cCst|jS)N)iterrT)rQrRrRrS__iter__szSequenceMixin.__iter__cCst|jS)N)lenrT)rQrRrRrS__len__szSequenceMixin.__len__cCs|j|kS)N)rT)rQotherrRrRrS__eq__szSequenceMixin.__eq__cCs|j| S)N)r^)rQr]rRrRrS__ne__szSequenceMixin.__ne__N) __name__ __module__ __qualname____doc__rTrVrXrZr\r^r_rRrRrRrSrOs       rOcCsetjt|j}|s"dS|j|}|rJ|jtkrJdS|t|djtkS)z*test if function accepts specified keywordFT) inspectZ signaturer/Z parametersgetZkind _VAR_ANY_SETlist _VAR_KEYWORD)funckeyZparamsargrRrRrSaccepts_keywordsrncCs1tjt|}||jkp0|jdk S)z*test if function accepts specified keywordN)rfZ getargspecr/argskeywords)rkrlspecrRrRrSrnsFc st|tr|g}t|j}|rt|trE|g}x<|D]4|rg|krgqL|krL|jqLW|rx |D]tfdd|Drq|rxt|D]2\}} t| rP|rt| |rPqWt|}nr|r}xitt |D]F\} } t| |r*t|| }||d| ksot Pq*Wd}nd}|j |qW|st ||_dS)a helper to update mixin classes installed in target class. :param target: target class whose bases will be modified. :param add: class / classes to install into target's base class list. :param remove: class / classes to remove from target's base class list. :param append: by default, prepends mixins to front of list. if True, appends to end of list instead. :param after: optionally make sure all mixins are inserted after this class / classes. :param before: optionally make sure all mixins are inserted before this class / classes. :param dryrun: optionally perform all calculations / raise errors, but don't actually modify the class. c3s|]}t|VqdS)N) issubclass).0base)mixinrRrS sz'update_mixin_classes..rdrN) isinstancetyperi __bases__removeany enumeraterrr[reversedAssertionErrorinserttuple) targetaddrzappendZbeforeafterZdryrunbasesrWrtZend_idxrR)rurSupdate_mixin_classessB      rc cs|dkrtdt|trnt|}d}x||krj||}|||V|}q<Wn}t|trt|}x_tj||}yt|}Wnt k rPYnXtj |f|VqWn t ddS)z8 split iterable into chunks of elements. rdzsize must be positive integerrzsource must be iterableN) ValueErrorrwrr[r rY itertoolsislicenext StopIterationchain TypeError)sourcesizeendinZitrZ chunk_itrfirstrRrRrSbatchs&       rcCs)t|tr3t|ts*tdd}n?t|trft|ts]tdt}n tdt|t|k}|r|}d}|s|}d}|rxht||D]\}}|||AO}qWn:x7t||D]&\}}|t|t|AO}qW|dkS)aCheck two strings/bytes for equality. This function uses an approach designed to prevent timing analysis, making it appropriate for cryptography. a and b must both be of the same type: either str (ASCII only), or any type that supports the buffer protocol (e.g. bytes). Note: If a and b are of different lengths, or if an error occurs, a timing attack could theoretically reveal information about the types and lengths of a and b--but not their values. z)inputs must be both unicode or both bytesFrrd)rwr*rbytesr'r[zipord)leftrightZ is_py3_bytesZ same_sizeZtmpresultlrrRrRrSr5;s,     )compare_digest,cCsO|j}|j|r+|dd}|s5gSdd|j|DS)zRsplit comma-separated string into list of elements, stripping whitespace. NrdcSsg|]}|jqSrR)strip)rselemrRrRrS s zsplitcomma..re)rendswithsplit)rseprRrRrS splitcommas  rvaluecsst|ts(tdt|ftjtjtfdd|D}tj d|}|sxt Stj }||dr||dst d|tj }n|}tj}tj}tj}tj}tj} tj} tj} tj} tj} xX|D]P}| s:td| sStd ||rot d |||rt d |||rt d |||rt d || |rt d|| |rt d|| |rt d|| |r3t d|| |rOt d|||rt d|qW|S)aNormalizes unicode strings using SASLPrep stringprep profile. The SASLPrep profile is defined in :rfc:`4013`. It provides a uniform scheme for normalizing unicode usernames and passwords before performing byte-value sensitive operations such as hashing. Among other things, it normalizes diacritic representations, removes non-printing characters, and forbids invalid characters such as ``\n``. Properly internationalized applications should run user passwords through this function before hashing. :arg source: unicode string to normalize & validate :param param: Optional noun identifying source parameter in error messages (Defaults to the string ``"value"``). This is mainly useful to make the caller's error messages make more sense contextually. :raises ValueError: if any characters forbidden by the SASLPrep profile are encountered. :raises TypeError: if input is not :class:`!unicode` :returns: normalized unicode string .. note:: This function is not available under Jython, as the Jython stdlib is missing the :mod:`!stringprep` module (`Jython issue 1758320 `_). .. versionadded:: 1.6 z$input must be unicode string, not %sc3s3|])}|s|r'tn|VqdS)N)_USPACE)rsc) in_table_b1 in_table_c12rRrSrvszsaslprep..ZNFKCrrdzmalformed bidi sequence in z$failed to strip B.1 in mapping stagez(failed to replace C.1.2 in mapping stagez$unassigned code points forbidden in z control characters forbidden in z$private use characters forbidden in z"non-char code points forbidden in zsurrogate codes forbidden in z!non-plaintext chars forbidden in z!non-canonical chars forbidden in z1display-modifying / deprecated chars forbidden inztagged characters forbidden in zforbidden bidi character in re)rwr*rrx stringpreprrr) unicodedataZ normalize_UEMPTYZ in_table_d1rZ in_table_d2 in_table_a1in_table_c21_c22 in_table_c3 in_table_c4 in_table_c5 in_table_c6 in_table_c7 in_table_c8 in_table_c9r~)rparamdataZ is_ral_charZis_forbidden_bidi_charrrrrrrrrrrrR)rrrSr6sf,                          cCstdtdS)zstub for saslprep()z>saslprep() support requires the 'stringprep' module, which is N)rP_stringprep_missing_reason)rrrRrRrSr6scGsHt|tr|jd}|tdd|D}|jdS)aPeform ``%`` formating using bytes in a uniform manner across Python 2/3. This function is motivated by the fact that :class:`bytes` instances do not support ``%`` or ``{}`` formatting under Python 3. This function is an attempt to provide a replacement: it converts everything to unicode (decoding bytes instances as ``latin-1``), performs the required formatting, then encodes the result to ``latin-1``. Calling ``render_bytes(source, *args)`` should function roughly the same as ``source % args`` under Python 2. .. todo:: python >= 3.5 added back limited support for bytes %, can revisit when 3.3/3.4 is dropped. zlatin-1css3|])}t|tr'|jdn|VqdS)zlatin-1N)rwrdecode)rsrmrRrRrSrv,szrender_bytes..)rwrrrencode)rrorrRrRrSr8s cCstj|dS)Nbig)int from_bytes)rrRrRrS bytes_to_int2srcCs|j|dS)Nr)r;)rcountrRrRrS int_to_bytes4sr)hexlify unhexlifycCstt|dS)N)rr)rrRrRrSr9scCstd|d>|S)Nz%%0%dxrd)r)rrrRrRrSr;sz/decode byte string as single big-endian integerz/encode integer as single big-endian byte stringcCs#tt|t|At|S)z;Perform bitwise-xor of two byte strings (must be same size))rrr[)rrrRrRrSr7AscCs*d|dt|}||d|S)zE repeat or truncate string, so it has length rdN)r[)rrmultrRrRrS repeat_stringEsrcCs)d|dt|}t|||S)zN variant of repeat_string() which truncates to nearest UTF8 boundary. rd)r[ utf8_truncate)rrrrRrRrSutf8_repeat_stringMsrscCsat|}||krO|dkr?t|tr9tnt}||||S|d|SdS)z>right-pad or truncate string, so it has length N)r[rwr*_UNULL_BNULL)rrZpadZcurrRrRrSright_pad_stringXs    rcstts!ttdt}|dkrLtd||}||kr\St|d|}xG||krt|d@dkrP|d7}qrW||kstd|fdd }|stS) a helper to truncate UTF8 byte string to nearest character boundary ON OR AFTER . returned prefix will always have length of at least , and will stop on the first byte that's not a UTF8 continuation byte (128 - 191 inclusive). since utf8 should never take more than 4 bytes to encode known unicode values, we can stop after ``index+3`` is reached. :param bytes source: :param int index: :rtype: bytes rrrdNc sNyjd}Wntk r+dSYnX|jjdsJtdS)Nzutf-8T)rUnicodeDecodeError startswithr~)text)rrrRrS sanity_checks   z#utf8_truncate..sanity_check)rwrr r[maxminr+r~)rindexrrrR)rrrSrcs"    rs aA:#!asciicCstj|tkS)zRTest if codec is compatible with 7-bit ascii (e.g. latin-1, utf-8; but not utf-16))_ASCII_TEST_UNICODEr_ASCII_TEST_BYTES)codecrRrRrSis_ascii_codecsrcCs<||krdS|o|s dSt|jt|jkS)z3Check if two codec names are aliases for same codecTF) _lookup_codecname)rrrRrRrSr9s   s€cs8t|trtnttfdd|DS)z.)rwr_B80_U80all)rrR)rrSr:szutf-8cCs}|s tt|trN|rGt|| rG|j|j|S|Sn+t|trj|j|St||dS)aHelper to normalize input to bytes. :arg source: Source bytes/unicode to process. :arg encoding: Target encoding (defaults to ``"utf-8"``). :param param: Optional name of variable/noun to reference when raising errors :param source_encoding: If this is specified, and the source is bytes, the source will be transcoded from *source_encoding* to *encoding* (via unicode). :raises TypeError: if source is not unicode or bytes. :returns: * unicode strings will be encoded using *encoding*, and returned. * if *source_encoding* is not specified, byte strings will be returned unchanged. * if *source_encoding* is specified, byte strings will be transcoded to *encoding*. N)r~rwrr9rrr*r)rencodingrZsource_encodingrRrRrSr;s  cCsN|s tt|tr|St|tr;|j|St||dS)aHelper to normalize input to unicode. :arg source: source bytes/unicode to process. :arg encoding: encoding to use when decoding bytes instances. :param param: optional name of variable/noun to reference when raising errors. :raises TypeError: if source is not unicode or bytes. :returns: * returns unicode strings unchanged. * returns bytes strings decoded using *encoding* N)r~rwr*rrr)rrrrRrRrSr<s   cCsBt|tr|j|St|tr/|St||dS)N)rwrrr*r)rrrrRrRrSr=s  cCsBt|tr|St|tr/|j|St||dS)N)rwrr*rr)rrrrRrRrSr=s  a>Take in unicode or bytes, return native string. Python 2: encodes unicode using specified encoding, leaves bytes alone. Python 3: leaves unicode alone, decodes bytes using specified encoding. :raises TypeError: if source is not unicode or bytes. :arg source: source unicode or bytes string. :arg encoding: encoding to use when encoding unicode or decoding bytes. this defaults to ``"utf-8"``. :param param: optional name of variable/noun to reference when raising errors. :returns: :class:`str` instance Z deprecatedz1.6Zremovedz1.7cCst||ddS)z'deprecated, use to_native_str() insteadrhash)r=)rrrRrRrS to_hash_str$srz true t yes y on 1 enable enabledz#false f no n off 0 disable disablednoneZbooleancCs|dkstt|tr||jj}|tkrCdS|tkrSdS|tkrc|Std||fn-t|t r|S|dkr|St |SdS)z\ helper to convert value to boolean. recognizes strings such as "true", "false" TFNzunrecognized %s value: %r)TFN) r~rwr.lowerr _true_set _false_set _none_setrbool)rrrZcleanrRrRrSas_bool-s    rc CsLtst|t rdSy|jddSWntk rGdSYnXdS)z UT helper -- test if value is safe to pass to crypt.crypt(); under PY3, can't pass non-UTF8 bytes to crypt.crypt. Tzutf-8FN)crypt_accepts_bytesrwrrr)rrRrRrSis_safe_crypt_inputGs  r)cryptcCsdS)NrR)secretrrRrRrSr@]sTr) nullcontextz*:!sZxxcCsltr]t|tr$|jd}t|kr<tdt|tr|jd}nt|tr|}y|jd}Wntk rdSYnX|jd|kst dt |krtdt|tr|jd}y!t t ||}WdQRXWnt k r.dSYnXt|trM|jd}| sd|dtkrhdS|S)Nzutf-8znull character in secretrz"utf-8 spec says this can't happen!r)rrwr*rrrrrrr~_NULL_safe_crypt_lock_cryptOSError_invalid_prefixes)rrZorigrrRrRrSr@s:         c Cst|tr|jd}t|kr6tdt|trT|jd}tt||}WdQRX|s{dS|jd}|dtkrdS|S)Nzutf-8znull character in secretrr) rwr*rrrrrrr)rrrrRrRrSr@s  aWrapper around stdlib's crypt. This is a wrapper around stdlib's :func:`!crypt.crypt`, which attempts to provide uniform behavior across Python 2 and 3. :arg secret: password, as bytes or unicode (unicode will be encoded as ``utf-8``). :arg hash: hash or config string, as ascii bytes or unicode. :returns: resulting hash as ascii unicode; or ``None`` if the password couldn't be hashed due to one of the issues: * :func:`crypt()` not available on platform. * Under Python 3, if *secret* is specified as bytes, it must be use ``utf-8`` or it can't be passed to :func:`crypt()`. * Some OSes will return ``None`` if they don't recognize the algorithm being used (though most will simply fall back to des-crypt). * Some OSes will return an error string if the input config is recognized but malformed; current code converts these to ``None`` as well. cCsJt|ts%tdt||s7tdt|||kS)zcheck if :func:`crypt.crypt` supports specific hash :arg secret: password to test :arg hash: known hash of password to use as reference :returns: True or False z#hash must be unicode_or_str, got %szhash must be non-empty)rwr-r~rxr@)rrrRrRrSr?s cCsEtjd|}|rAtdd|jdjdDSdS)zhelper to parse version stringz(\d+(?:\.\d+)+)css|]}t|VqdS)N)r)rsrrRrRrSrvsz parse_version..rd.N)researchrgroupr)rmrRrRrS parse_versions)rrdcCsddlm}t|drbt|drby|j}Wn!tk ra|jd}YnXtd|ttdrtjnd t t t j t t rtjd jd ndf}t||jd jd S)z.generate prng seed value from system resourcesr)sha512getstate getrandbitsrdz%s %s %s %.15f %.15f %sgetpidN zlatin-1zutf-8ri)ZhashlibrhasattrrrPrr(osridobjecttimerA has_urandomurandomrrrZ hexdigest)rrrrRrRrSgenseeds    (r cs,s tSfdd}t|S)z]return byte-string containing *count* number of randomly generated bytes, using specified rngc3sMjd>}d}x-|krH|d@V|dL}|d7}qWdS)Nrrrd)r)rr)rrBrRrShelperMs   zgetrandbytes..helper)_BEMPTYr#)rBrr rR)rrBrSrCBs csdkrtdtdkr<tddkrPSfdd}ttrt|St|SdS)z|return string containing *count* number of chars/bytes, whose elements are drawn from specified charset, using specified rngrzcount must be >= 0zalphabet must not be emptyrdc3sTjd}d}x1|krO|V|}|d7}qWdS)Nrrd)Z randrange)rr)charsetrlettersrBrRrSr fs   zgetrandstr..helperN)rr[rwr*r)r$)rBrrr rR)rrrrBrSrDWs        Z42346789ABCDEFGHJKMNPQRTUVWXYZabcdefghjkmnpqrstuvwxyzz2.0Z replacementz/passlib.pwd.genword() / passlib.pwd.genphrase() cCstt||S)awgenerate random password using given length & charset :param size: size of password. :param charset: optional string specified set of characters to draw from. the default charset contains all normal alphanumeric characters, except for the characters ``1IiLl0OoS5``, which were omitted due to their visual similarity. :returns: :class:`!str` containing randomly generated password. .. note:: Using the default character set, on a OS with :class:`!SystemRandom` support, this function should generate passwords with 5.7 bits of entropy per character. )rDrB)rrrRrRrSrEvsr setting_kwds context_kwdsverifyridentifycstfddtDS)z4check if object follows the :ref:`password-hash-api`c3s|]}t|VqdS)N)r)rsr)objrRrSrvsz#is_crypt_handler..)r_handler_attrs)rrR)rrSrFs needs_update genconfiggenhashencryptcstfddtDS)zOcheck if object appears to be a :class:`~passlib.context.CryptContext` instancec3s|]}t|VqdS)N)r)rsr)rrRrSrvsz#is_crypt_context..)r_context_attrs)rrR)rrSrGscCs%d|jko$t|dddk S)z_check if handler provides the optional :ref:`rounds information ` attributesroundsZ min_roundsN)rgetattr)handlerrRrRrSrHscCs%d|jko$t|dddk S)z[check if handler provides the optional :ref:`salt information ` attributesZsaltZ min_salt_sizeN)rr)rrRrRrSrIsr)rrJr)rrr)rrrrrr)rrrrrr)rcpasslib.utils.compatrZbinasciirrrZ_BinAsciiErrorbase64rrcollections.abcrr ImportError collectionscodecsr r functoolsr rrflogging getLoggerr`logZmathrsysZrandomrrrrr threadingZtimeittypeswarningsr Zpasslib.utils.binaryr rrrrrrrrrrrrZpasslib.utils.decorrrrrrZ passlib.excrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0r1__all__rmaxsizeZmaxintr2r3r4rKr rrenvironrgZMAX_PASSWORD_SIZErrOZ ParameterZ VAR_KEYWORDrjsetZVAR_POSITIONALrhrnrrr5Z str_consteqZhmacrrr6r8rrrrr7rrrrrrrrrrr9rrr:r;r<r=rrrrrrrrrr>rZcrypt_needs_lockrr@rZpypy_version_infoLockrrrr?Z default_timerZtimerrArr rrPr Z SystemRandomrBZRandomrCrDZ _52charsetrErrFrrGrHrIrRrRrRrSs                 X(p .       V  >              F    %  +      /        !